Virtual private network with mobile nodes

ABSTRACT

A virtual private network has an internal secured portion which connects to an external portion of the network via at least a first gateway and a second gateway. There are a plurality of workstations, including at least one mobile workstation, in the external portion. The network automatically changes the point through which the mobile workstation communicates with the internal portion of the network from the first gateway to the second gateway, in response to movement of the mobile workstation. Context information is transferred to the second gateway. The context information includes an identifier of the mobile workstation and may also include material for defining secure communication means by which information is transferable securely between the mobile workstation in the external portion of the network and the internal portion of the network, via the second gateway.

Embodiments of the present invention relate to a virtual private network capable of having a plurality of mobile nodes, to the components of the network and to the methods and processes used within the network.

A Virtual Private Network (VPN) provides a network-like connection via a public network, such as the internet. Remote components of the VPN appear to a user as if they are physically connected via dedicated communication cables, when in fact the public network may form at least part of the connection between them.

As the VPN may use a public network, security measures must be taken to prevent unauthorised users hacking into the VPN. The Internet Engineering Task Force (IETF) has developed the Internet Protocol Security (IPsec) standard, which is suitable for securing the VPN. The IPsec standard specifies an extension to TCP/IP that utilizes data encryption and digital encryption technology to positively identify a user or network component. Implementation of IPsec, or an equivalent security protocol, on a VPN results in a Secure Virtual Private Network (SVPN).

The VPN is a packet switching network in which data is sent as packets. Each packet has a data payload and a header. The header includes the address of the origin of the data and the address of the destination of the data. The addresses used may be public IP addresses or private IP addresses. A public address is a globally unique address, whereas a private address is unique in the VPN but not necessarily globally.

A SVPN has a Security Gateway placed at the interface between a private secured network and the public unsecured network. The private secured network forms an internal portion of the VPN, whereas those parts of the VPN which are part of the public network are external portions of the VPN.

A Security Association (SA) is a context defining a virtual simplex connection between two end points that affords security services to the traffic carried between those end points. To secure bi-directional communication between two nodes, two Security Associations (one in each direction) are required in both nodes. Among other things each context indicates an authentication and/or encryption algorithm and a secret (a shared key, or an appropriate public/private key pair).

Each node of a SVPN has a Security Policy Database (SPD) and a Security Association Database (SAD). The SPD specifies the treatment of every inbound and outbound packet. It also indicates which SA or SA bundle in the SAD should be used, if any. The SPD maps traffic to a SAD entry, which has the SA parameters for the traffic. The Encapsulating Security Payload (ESP) [RFC2406] is one type of Security Association and it provides confidentiality, data origin authentication, connectionless integrity, anti-replay service and limited traffic flow confidentiality.

At present, when a user of a VPN ‘roams’ to a distant external portion of the VPN, typically (s)he accesses the VPN by directly dialing into a security gateway. Thus the connection to the VPN is made via a separate circuit switched connection of the user's choice. This is not very easy for a user to administer, and the user must manually select the preferred connection point to the VPN.

It would be desirable to provide for a roaming user to access the VPN without having to establish a circuit switched connection to a particular security gateway.

It would be desirable to provide a solution in which routing is automatically optimized, preferably using IPv6.

According to one aspect of the present invention there is provided a virtual private network including an internal secured portion which connects via at least a first gateway and a second gateway to an external portion, the network comprising: a plurality of workstations including at least one mobile workstation in the external portion; the first gateway; the second gateway; and means for automatically changing the point through which the mobile workstation communicates with the internal portion of the network from the first gateway to the second gateway, in response to movement of the mobile workstation.

According to another aspect of the invention there is provided a method of optimizing the route by which information travels between a mobile node in an external portion of a network and a correspondent node in an internal portion of a network, comprising the steps of: determining when a first serving gateway, through which the mobile node communicates with the internal portion of the network, is sub-optimal; identifying a second gateway; and transferring the point through which the mobile node communicates with the internal portion of the network from the first serving gateway to the second gateway.

According to a further aspect of the invention there is provided a mobile workstation for connecting to an external portion of a network that includes an internal secured portion connected, via a first gateway and a second gateway, to the external portion, comprising: means arranged to receive, via the first secure communication means, an identifier of a second gateway; and means arranged to change from communicating with the internal portion of the network through the first gateway to communicating via the second gateway.

Embodiments of the invention provide for the easy and automatic change of a SG during a session, particularly between SGs in remote segments of a VPN. This works automatically on the IP layer and provides optimised routing. This reduces any delays associated with key generation and exchange.

For a better understanding of the present invention reference will now be made, by way of example only, to the accompanying drawings in which:

FIG. 1A illustrates a virtual private network in which MN1 is located near to SG1 and communicates via SG1;

FIG. 1B illustrates a virtual private network after MN1 has moved away from SG1 towards SG2 but continues to communicate via SG1;

FIG. 1C illustrates a virtual private network in which MN1, located near to SG2, communicates via SG2; and

FIG. 2 illustrates the signaling that allows MN1 to switch from communicating via SG1 to communicating via SG2.

Referring to FIG. 1A, the virtual private network (VPN) 100 comprises a first segment 102 and a second segment 104. The first and second segments are connected via a leased-line connection or the Internet 132.

The first segment 102 serves a particular geographical or network-topological area. It comprises an internal portion 102 a and an external portion 102 b. The internal portion 102 a comprises a first VPN Certificate Authority (VCA1) 110, at least a first security gateway (SG1) 112, and an internal Home Agent (HA) 114. The first security gateway(s) (SG1) 112 mediate between the internal portion 102 a and the external portion 102 b. The external portion 102 b comprises a first mobile node (MN1) 120 and an external home agent (HA) 122. A non-secure communications medium 130, such as the internet, interconnects the first mobile node (MN1) 120, the external HA 122 and SG1 112.

The external home agent 122 manages the external home address (HoA) of MN1, which is visible in the external portion of the VPN. The internal home agent 114, which is present only if the VPN uses private addresses, manages the internal HoA of MN1, which is visible to the internal portion of the VPN.

The second segment 104 serves a particular geographical or network-topological area, different to that served by the first segment 102. It comprises an internal portion 104 a and an external portion 104 b. The internal portion 104 a comprises a second VPN Certificate Authority (VCA2) 150, at least a second security gateway (SG2) 162, an internal Home Agent (HA) 164 and at least one correspondent node (CN) for MN1. In this example, the CN is a second mobile node (MN2) 166. The security gateway(s) (SG2) mediate between the internal portion 102 a and the external portion 102 b. The external portion 104 b comprises an external home agent (HA) 172 interconnected to the second security gateway (SG2) 162 by the non-secure communications medium 130.

MN1 120 has two security associations (uplink and downlink) with SG1 112 and two security associations (uplink and downlink) with VCA1 110. There are also two security associations (uplink and downlink) between VCA1 110 and SG1 112. There are also two security associations (uplink and downlink) between VCA2 150 and SG2 162. These security associations (SA) are Encapsulating Security Payload Security Associations (ESP SA). They are encrypted channels for communication.

Although the VCA has been described as a separate entity to the SG, it would be possible to integrate them. There are, however, advantages to having them as distinct entities. When the defense is in one layer (SG only), as opposed to two layers (VCA & SG), the attacker only needs to break into one SG in order to severely affect the VPN service. Also, if the VCA function is integrated into each SG, then where a segment has several SGs all of them need to have this extra functionality. This proliferation may increase the operating costs of the system.

A mobile node (MN), security association (SA), Encapsulating Security Payload (ESP), home agent (HA), security gateway (SG) and correspondent node (CN) are terms well understood by a person knowledgeable in Virtual Private Networks, the Internet Protocol Security (IPsec) protocol and Mobile Internet Protocol version 6 (MIPv6).

The VPN Certificate Authority (VCA) is a newly devised component of a VPN and the security associations between VCA1 110 and MN1 are newly implemented security associations.

If necessary, MN1 executes a Binding Update with SG1. Therefore SG1 maps the external HoA of MN1 to the external CoA of MN1 and tunnels packets addressed for MN1 from the internal portion 102 a to the external CoA of MN1 in the external portion 102 b.

FIG. 1A illustrates a VPN 100 in which MN1 120 is in session with CN 166, which in this example is MN2. MN1 is in the external portion 102 b of the first segment 102 of the VPN 100 and MN2 is in the internal portion 104 a of the second segment 104. The MN1 120 uses its existing ESP SAs with the SG1 112 to communicate with the internal portions 102 a, 104 a of the VPN. The SG1 receives an encapsulated packet from MN1 via these ESP SAs, decapsulates it and routes it to the CN 166.

Thus when a VPN Mobile Node (MN1 120) using ESP Security Associations (SAs) moves to a new location (FIG. 1B), the ESP tunnel end point in the Security Gateway (SG1 112) is no longer the closest or optimal point of attachment to the VPN 100, especially if MN1 has sessions with a node (MN2) close to its current location in the network topology. This is inefficient. The optimum path for communication between MN1 120 and MN2 166 in FIG. 1B would be via SG2 162.

In order to optimise the route, the first VPN segment 102 from which MN1 moved and the second VPN segment 104 to which it moved cooperate to move the context of MN1 to the new location. This context consists of at least the HoA of MN1, but should also include key material for the creation of new ESP SAs between MN1 and the optimal security gateway (SG2 162). The context information is managed by a set of separate VPN Certificate Authorities (VCA1 and VCA2). It is moved from SG1 via VCA1 to the VCA2 and on to the SG2. However, before this movement, the identity of the target SG/VCA must be resolved.

Thus there is a “hand-over” between a first security gateway (SG1 112) in a first segment 102 and a second security gateway (SG2 162) in a second segment 104 which optimizes the routing of traffic. MN1 then communicates, after the hand-over, with SG2 162 as illustrated in FIG. 1C.

The process of hand-over will now be described in more detail with reference to FIG. 2.

MN1 and MN2 (not shown) are in session. Initially, MN1 communicates with MN2 via SG1 as illustrated in FIG. 1A. MN1 moves so that it is close to SG2, as illustrated in FIG. 1B.

MN1 detects when it has moved close to another possible node at which to link into the VPN and informs VCA1. One mechanism for achieving this is to detect the prefix information in advertisement messages multicast from the node. When a change is detected, MN1 obtains a new external CoA using stateless or stateful address autoconfiguration. It then performs a binding update with its HA and SG1. Thus the new external CoA of MN1 is sent 230 to SG1.

The external CoA of MN1 has therefore changed at this point, but MN1 is still communicating via SG1.

SG1 provides 232 the new location data (e.g. external CoA) for MN1 to the VCA1 using the downlink ESP SA between SG and VCA.

VCA1 updates a location database, which is used to automatically resolve whether MN1 is using the optimal SG or whether there should be a hand-over to another SG. The location database associates a responsible infrastructure node (VCA and/or SG) with a location. The ‘location’ may be address-space related, geographical or topological. The location database can be local or remote. Thus querying the database with the new external CoA of MN1 may return the present VCA/SG or a new optimal VCA/SG.

When a new optimal VCA/SG has been identified which is in a different segment, VCA1 automatically sends 234 the context of MN1 to the VCA of the optimal segment (VCA2). The VCAs can communicate with AAA attribute-value pairs (AVPs) between segments, and the VCA functionality can be combined with AAA infrastructure. The information sent may additionally identify the location of MN1 so that VCA2 can determine the optimal SG.

When a new optimal SG has been identified which is in the same segment, VCA1 automatically sends the context of MN1 to the optimal SG (not shown in FIG. 2).

The context information includes at least an identifier of MN1 (its external HoA) and should also include secret material for setting up ESP SAs between the new SG and MN1. The secret material should not be the same as that used for the ESP SAs between MN1 and SG1; alternatively, it may extend that context and provide new secret material for new ESP SAs between SG2 and MN1. The context information is sent to the new SG/VCA.

As context information is already being transferred to SG2, it is very little extra cost to include new secret material (e.g. keys, a better/faster crypto algorithm, etc.) as well. This improves security.

The MN context information is protected with the VPN owner's root certificate. All parties have the capability of reliably verifying something that has been certified by the VPN owner (protected by its certificate). Without this, they would have to trust some other node that only claims to be authoritative, giving rise to the possibility of masquerading attacks.

VCA2 sends 236 the context information to SG2 using an ESP SA between SG2 and VCA2.

SG2 updates its SPD database and SAD database. An SPD policy forwards packets to the HoA of MN1 onwards to the appropriate link, which is the downlink ESP SA from SG2 to MN1. The SAD defines the appropriate ESP SA. The ESP SA tunnel uses MN1's external HoA.

VCA1 commands 238 SG1, using one of the ESP SAs between VCA1 and SG1, to automatically send 240 to MN1 any extension to MN1's context and the address of SG2.

The MN1 receives the secret(s) extending its context, if any, and the address of SG2. It enters into its Security Association Database (SAD) a new ESP SA to SG2 and a new ESP SA from SG2. Each entry specifies the algorithm to be used and the secret(s) to be used. MN1 modifies its Security Policy Database (SPD) so that traffic destined for MN2 will be encrypted using the first SA of the new SA pair and traffic from the MN2 will be decrypted using the second SA of the new SA pair. MN1 then sends 242 an Acknowledgement message to VCA1 which forwards 244 it to SG2.

In the example of FIG. 2, the updating of the SPD and SAD at SG2 is illustrated as occurring before the updating of the SPD and SAD at MN1. Thus the context is sent to the VCA2 (step 234) before it is sent to the SG1 (step 238). This timing is, however, only illustrative. For example, the updating of the SPD and SAD at MN1 may precede the updating of the SPD and SAD at SG2. Thus the context is sent to the SG1 before it is sent to the VCA2. The acknowledgement, in this situation, is sent from the SG2 to the MN1 via the VCA1.

MN1 creates new SAs with VCA2 and starts using SG2 and VCA2 instead of its SG1 and VCA1. In MN1, the packets sent to the session destination MN2 are simply put to the new ESP SA (to SG2) by the SPD.
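The SA/SPD/SAD model introduced earlier and the hand-over signals 230 to 244 of FIG. 2 can be exercised together in a small simulation. The following is an added example written for this page, not code from the patent or any implementation of it. Its assumptions: the VPN owner's root certificate is stood in for by a shared root key and an HMAC tag (a deployment would verify a signature against the root CA); the location database is a static table of constructed address prefixes; SPIs, addresses and the pre-existing SG1 keys are constructed; the ESP channels between nodes are modelled as direct function calls; and the acknowledgement (242/244) is omitted.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

# Stand-in for the VPN owner's root certificate (assumption for this toy model).
ROOT_KEY = b"vpn-owner-root-key (constructed placeholder)"

# Location database (constructed): external address prefix -> responsible (VCA, SG).
LOCATION_DB = {
    "2001:db8:1::/48": ("VCA1", "SG1"),
    "2001:db8:2::/48": ("VCA2", "SG2"),
}


@dataclass
class SA:
    """One simplex ESP security association, i.e. one SAD entry."""
    spi: int
    src: str              # tunnel end points are node names in this model
    dst: str
    key: bytes
    algo: str = "AES-GCM"  # hypothetical algorithm label


@dataclass
class Node:
    name: str
    hoa: str = ""
    sad: dict = field(default_factory=dict)  # spi -> SA
    spd: dict = field(default_factory=dict)  # traffic selector -> outbound spi

    def install_sa_pair(self, peer, spi_out, spi_in, key_out, key_in):
        """Enter the uplink and downlink ESP SAs with `peer` into the SAD."""
        self.sad[spi_out] = SA(spi_out, self.name, peer, key_out)
        self.sad[spi_in] = SA(spi_in, peer, self.name, key_in)

    def outbound_sa(self, selector):
        """SPD lookup: the SA, if any, that protects traffic matching `selector`."""
        return self.sad.get(self.spd.get(selector))


def resolve_optimal(external_coa):
    """Query the location database with a mobile node's new external CoA."""
    addr = ipaddress.ip_address(external_coa)
    for prefix, owner in LOCATION_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return owner
    raise LookupError(f"no VCA/SG responsible for {external_coa}")


def _encode(ctx):
    # Deterministic byte encoding so the tag covers every field of the context.
    return b"|".join(f"{k}={v!r}".encode() for k, v in sorted(ctx.items()))


def build_context(hoa, target_sg, spi_mn_to_sg, spi_sg_to_mn):
    """Context VCA1 moves to the new segment: MN1's HoA plus fresh secret
    material for the new ESP SA pair, never the keys already used with SG1."""
    ctx = {
        "hoa": hoa,
        "target_sg": target_sg,
        "spi_mn_to_sg": spi_mn_to_sg,
        "spi_sg_to_mn": spi_sg_to_mn,
        "key_mn_to_sg": os.urandom(16),
        "key_sg_to_mn": os.urandom(16),
    }
    tag = hmac.new(ROOT_KEY, _encode(ctx), hashlib.sha256).digest()
    return ctx, tag


def is_certified(ctx, tag):
    """Check the VPN owner's protection before trusting a received context."""
    expected = hmac.new(ROOT_KEY, _encode(ctx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def handover(mn, sg1, sg2, new_coa, cn_selector):
    """Signals 230-244 of FIG. 2; returns the name of the SG now serving `mn`."""
    # 230/232: binding update reaches SG1, which reports the new CoA to VCA1.
    _vca, sg = resolve_optimal(new_coa)
    if sg == sg1.name:
        return sg1.name  # already on the optimal SG, no hand-over
    # 234: VCA1 builds the certified context and sends it to VCA2.
    ctx, tag = build_context(mn.hoa, sg, spi_mn_to_sg=0x2001, spi_sg_to_mn=0x2002)
    # 236: VCA2 verifies the tag; SG2 updates SAD and SPD (policy: HoA of MN1 -> downlink SA).
    if not is_certified(ctx, tag):
        raise ValueError("context not certified by the VPN owner")
    sg2.install_sa_pair(mn.name, ctx["spi_sg_to_mn"], ctx["spi_mn_to_sg"],
                        ctx["key_sg_to_mn"], ctx["key_mn_to_sg"])
    sg2.spd[ctx["hoa"]] = ctx["spi_sg_to_mn"]
    # 238/240: SG1 pushes the context extension and SG2's address to MN1 over the
    # existing MN1-SG1 ESP SA (a direct call here); MN1 updates its SAD and SPD.
    mn.install_sa_pair(sg2.name, ctx["spi_mn_to_sg"], ctx["spi_sg_to_mn"],
                       ctx["key_mn_to_sg"], ctx["key_sg_to_mn"])
    mn.spd[cn_selector] = ctx["spi_mn_to_sg"]  # traffic for MN2 now leaves via SG2
    return sg2.name


def demo():
    """FIG. 1A state, then the move of FIG. 1B/1C. Returns (MN1, SG2, serving SG)."""
    mn1 = Node("MN1", hoa="2001:db8:1::120")  # constructed external HoA
    sg1, sg2 = Node("SG1"), Node("SG2")
    mn1.install_sa_pair("SG1", 0x1001, 0x1002, b"k1" * 8, b"k2" * 8)  # constructed keys
    mn1.spd["MN2"] = 0x1001  # the session with MN2 currently rides the SG1 SA
    mn1.spd["CN3"] = 0x1001  # a CN still in segment 102 keeps using SG1
    serving = handover(mn1, sg1, sg2, new_coa="2001:db8:2::abcd", cn_selector="MN2")
    return mn1, sg2, serving


if __name__ == "__main__":
    mn1, sg2, serving = demo()
    print("serving SG:", serving, "| MN2 traffic via:", mn1.outbound_sa("MN2").dst)
```

Two properties of the description are visible in the result: only the SPD entry for the correspondent node in SG2's segment is moved, so MN1 keeps its SG1 SA pair for other correspondents (the phased hand-over), and the new SA pair carries key material that differs from the SG1 keys, so a compromise of one tunnel's keys does not carry over to the other. A context whose fields have been altered in transit fails the certification check and is not installed.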

The internal HA 114 or external HA 122 of MN1 do not change when the serving SG changes from SG1 to SG2.

Movement of MN1 within external portion 104 b will result in further changes to the external CoA of MN1, but not until the hand-over between SGs is complete.

If internal addresses are used in the VPN, the MN1 receives router advertisements from SG2 after establishing the new ESP SAs with it and allocates to itself a new internal CoA. It then performs return routability and binding procedures with this new internal CoA. MN1 needs to maintain its connection to the SG1 at least until the binding with its internal HA 114 is in place. Thus MN1 may conserve connectivity to SG1 with its original internal CoA at the same time as it has a new CoA. This is a form of ‘phased handover’ in which MN1 is capable of communicating with both SG1 and SG2.

Each VPN segment has only one VCA but possibly several SGs. Each SG is subject to the VCA of its segment (with implied management and trust relationships). According to the present example, the VCA controls all hand-overs between SGs whether or not they are in the same segment as the VCA, using additional VCAs if necessary. This is advantageous, because it is easier for a VCA to know (and maintain a relationship of trust with) a small set of VCAs than a large set of SGs. However, in other examples, the VCA may only control hand-overs between SGs which are in different segments to it, and each SG may control the transfer of a context to another SG within the same segment as the VCA.

The mobile node MN1 may be any suitably configured mobile workstation such as a lap-top computer, a personal digital assistant or a cellular mobile telephone.

Although embodiments of the present invention have been described in the preceding paragraphs with reference to various examples, it should be appreciated that modifications to the examples given can be made without departing from the scope of the invention as claimed. For example, although the above description refers to the transfer of communication between MN1 and the CN MN2 from using SG1 to using SG2, it is still possible for MN1 to communicate with a different CN using SG1. That is, the contexts transferred from SG1 to SG2 are not all the contexts of MN1 but those for a CN located in the segment of SG2.

Whilst endeavoring in the foregoing specification to draw attention to those features of the invention believed to be of particular importance, it should be understood that the Applicant claims protection in respect of any patentable feature or combination of features hereinbefore referred to and/or shown in the drawings whether or not particular emphasis has been placed thereon.

1. A virtual private network including an internal secured portion which connects via at least a first gateway and a second gateway to an external portion, the network comprising: a plurality of workstations including at least one mobile workstation in the external portion; the first gateway; the second gateway; and means for automatically changing the point through which the mobile workstation communicates with the internal portion of the network from the first gateway to the second gateway, in response to movement of the mobile workstation.

2. A network as claimed in claim 1, further comprising transfer means for transferring context information usable by a gateway in communications with the mobile workstation, to the second gateway.

3. A network as claimed in claim 2, wherein the context information includes an identifier of the mobile workstation.

4. A network as claimed in claim 3, wherein the identifier is the home address of the mobile workstation.

5. A network as claimed in claim 2, wherein the context information includes material for defining secure communication means by which information is transferable securely between the mobile workstation in the external portion of the network and the internal portion of the network, via the second gateway.

6. A network as claimed in claim 5, wherein the secure communication means is a security association pair between the second gateway and the mobile workstation.

7. A network as claimed in claim 2, wherein the transfer means is physically separate from the first gateway.

8. A network as claimed in claim 2, wherein the transfer means additionally transfers information to the mobile workstation for enabling communications between the mobile workstation and the second gateway.

9. A network as claimed in claim 8, wherein the information transferred to the mobile workstation enables secure communication means by which information is transferable securely between the mobile workstation in the external portion of the network and the internal portion of the network, via the second gateway.

10. A network as claimed in claim 9, wherein the secure communication means is a security association pair between the mobile workstation and the second gateway.

11. A network as claimed in claim 8, wherein the information transferred to the mobile workstation comprises the address of the second gateway.

12. A network as claimed in claim 8, wherein the information transferred to the mobile workstation is transferred between the first gateway and the mobile workstation using an existing security association between the mobile workstation and the first gateway.

13. A network as claimed in claim 1, wherein the second gateway comprises one or more databases which are updated to enable the internal portion of the network and the mobile workstation in the external portion of the network to communicate via the second gateway.

14. A network as claimed in claim 13, wherein the one or more databases are a Security Policy Database and a Security Association Database.

15. A network as claimed in claim 1, wherein the mobile workstation comprises one or more databases which are updated to enable the internal portion of the network and the mobile workstation in the external portion of the network to communicate via the second gateway.

16. A network as claimed in claim 15, wherein the one or more databases are a Security Policy Database and a Security Association Database.

17. A network as claimed in claim 1, further comprising location detection means for detecting the location of the mobile workstation and initiating a change in the point through which the mobile workstation communicates with the internal portion of the network, from the first gateway to a better gateway.

18. A network as claimed in claim 17, wherein the gateway is better because it is closer to the mobile workstation and/or it is optimal for routing existing sessions.

19. A network as claimed in claim 17, wherein the detection means is responsive to a location identifier received from the mobile workstation.

20. A network as claimed in claim 19, wherein the location identifier is the care-of-address of the mobile workstation.

21. A network as claimed in claim 20, wherein the identifier is received during a mobility binding update.

22. A network as claimed in claim 17, wherein the location detection means is separate from the first gateway.

23. A network as claimed in claim 22, wherein the transfer means is physically separate from the first gateway and wherein the location detection means and transfer means are housed together.

24. A network as claimed in claim 1, wherein the first gateway and the second gateway are in distinct physically separated segments of the network.

25. A network as claimed in claim 1, wherein the mobile workstation communicates with the internal portion of the network via the first gateway and also via the second gateway simultaneously for a transition period, before communicating via the second gateway only.

26. A network as claimed in claim 1, wherein the mobile workstation is involved in a session with a correspondent node.

27. A network as claimed in claim 26, wherein the correspondent node is located in the internal portion of the network and the mobile workstation is located in the external portion of the network.

28. A method of optimizing the route by which information travels between a mobile node in an external portion of a network and a correspondent node in an internal portion of a network, comprising the steps of: determining when a first serving gateway, through which the mobile node communicates with the internal portion of the network, is sub-optimal; identifying a second gateway; and transferring the point through which the mobile node communicates with the internal portion of the network from the first serving gateway to the second gateway.

29. A mobile workstation for connecting to an external portion of a network that includes an internal secured portion connected, via a first gateway and a second gateway, to the external portion, comprising: means arranged to receive, via the first secure communication means, an identifier of a second gateway; and means arranged to change from communicating with the internal portion of the network through the first gateway to communicating via the second gateway.

30. A mobile workstation as claimed in claim 23, further comprising means for using a first secure communication means, by which information is transferable securely between the internal portion of the network and the mobile workstation via the first gateway, to receive the identifier of the second gateway.

31. A mobile workstation as claimed in claim 23, further comprising means for using a second secure communication means to transfer information securely between the internal portion of the network and the mobile workstation via the second gateway.

32. (canceled)

33. (canceled)

34. (canceled)